Product Documentation

OAuth authentication

The authentication, authorization, and auditing traffic management feature now supports OAuth and OpenID-Connect mechanisms for authenticating and authorizing users to applications that are hosted on applications such as Google, Facebook, and Twitter.

The authentication mechanism facilitates the inline verification of OpenID tokens. The Citrix ADC appliance can be configured to obtain certificates and verify signatures on the token.

A major advantage of using the OAuth and OpenID-Connect mechanisms is that the user information is not sent to the hosted applications and therefore the risk of identity theft is considerably reduced.

The Citrix ADC appliance configured for authentication, authorization, and auditing now accepts incoming tokens that are signed using the HMAC HS256 algorithm. In addition, the public keys of the SAML Identity Provider (IdP) are read from a file, instead of being learned from a URL endpoint.

In the Citrix ADC implementation, the application to be accessed is represented by the authentication, authorization, and auditing traffic management virtual server. So, to configure OAuth, you must configure an OAuth policy, which must then be associated with an authentication, authorization, and auditing traffic management virtual server.

Note

OAuth on a Citrix ADC appliance is currently qualified for all SAML IdPs that are compliant with “OpenID connect 2.0”.

To configure OAuth by using the configuration utility:

  1. Configure the OAuth action and policy.
    Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policy, and create a policy with OAuth as the action type, and associate the required OAuth action with the policy.

  2. Associate the OAuth policy with an authentication virtual server.
    Navigate to Security > AAA - Application Traffic > Virtual Servers, and associate the OAuth policy with the authentication virtual server.

Note

Attributes (1 to 16) can be extracted in the OAuth response. Currently these attributes are not evaluated. They are added for future reference.

To configure OAuth by using the command line interface:

  1. Define an OAuth action.
    add authentication OAuthAction <name> -authorizationEndpoint <URL> -tokenEndpoint <URL> [-idtokenDecryptEndpoint <URL>] -clientID <string> -clientSecret <string> [-defaultAuthenticationGroup <string>][-tenantID <string>][-GraphEndpoint <string>][-refreshInterval <positive_integer>] [-CertEndpoint <string>][-audience <string>][-userNameField <string>][-skewTime <mins>][-issuer <string>][-Attribute1 <string>][-Attribute2 <string>][-Attribute3 <string>]...
  2. Associate the action with an advanced authentication policy.
    add authentication Policy <name> -rule <expression> -action <string>

    Example

    add authentication oauthAction a -authorizationEndpoint https://example.com/ -tokenEndpoint https://example.com/ -clientiD sadf -clientsecret df
    

For more information on authentication OAuthAction parameters, see “authentication OAuthAction”.

Note

When a certEndpoint is specified, the Citrix ADC appliance polls that endpoint at the configured frequency to learn the keys. To configure a Citrix ADC to read the local file and parse keys from that file, a new configuration option is introduced as follows.

set authentication OAuthAction <> -CertFilePath <path to local file with jwks>

Support for encrypted tokens on OpenID connect

The Citrix ADC appliance with OpenID Connect mechanism now supports sending of encrypted tokens along with signed tokens. The Citrix ADC appliance uses JSON web encryption specifications to compute the encrypted tokens and supports only compact serialization of encrypted tokens.

A new attribute “relyingPartyMetadataURL” is introduced in both “add authentication OAuthIDPProfile” and “set authentication OAuthIDPProfile”.

To use this feature, at the command prompt, type:

  • add authentication OAuthIDPProfile <name> [-relyingPartyMetadataURL <URL>]
  • set authentication OAuthIDPProfile <name> [-relyingPartyMetadataURL <URL>]
